Its not really a problem with commons-collections and unfair to color it as their issue. Its like blaming the library that is part of a ROP chain for the exploit. The issue is what gets you in first, which is instantiating objects without any thought as to what they are from un-trusted sources.
Something that is called out in the Java secure coding guidelines:
That wasn't anti-Java snark. I was complaining that the headline format suggests some unusual thing in common for those projects. But it would immediately occur to you that they are all Java-based.
Something that is called out in the Java secure coding guidelines:
http://www.oracle.com/technetwork/java/seccodeguide-139067.h...
and is something that goes way back in many languages. It seems to be a vuln pattern that keeps getting repeated sadly.